Cloud Penetration Security - Nebula Automated Testing

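Nebula is a cloud and (hopefully) DevOps penetration testing framework. It is built with modules for each provider and each functionality. As of April 2021 it only covers AWS, but it is an ongoing project and will hopefully continue to grow to test GCP, Azure, Kubernetes, Docker, or automation engines such as Ansible, Terraform and Chef.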

It currently covers:

  • S3 bucket name brute force
  • IAM, EC2, S3 and Lambda enumeration
  • IAM, EC2 and S3 exploitation
  • Custom HTTP User-Agent

There are currently 50 modules:

  • Reconnaissance
  • Enumeration
  • Exploit
  • Cleanup

1. Clone the Nebula repo from GitHub and pull the Nebula Docker image:

git clone https://github.com/gl4ssesbo1/Nebula
docker pull gl4ssesbo1/nebula:latest           

Then run main.py with:

docker run -v Nebula:/app -ti gl4ssesbo1/nebula:latest main.py           

2. Clone the Nebula repo from GitHub and build the Docker image locally:

git clone https://github.com/gl4ssesbo1/Nebula
cd Nebula
docker build -t nebula .

Then run main.py with:

docker run -v Nebula:/app -ti nebula main.py           

Nebula is written in Python 3.8 and uses the boto3 library to access AWS. Just install Python 3.8+ and install the required libraries from requirements.txt.

python3.8 -m pip install -r requirements.txt            

Then install the Session Manager plugin. It is required by the SSM modules:

curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"
dpkg -i session-manager-plugin.deb           

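On Windows devices, since less is not installed, I got a prebuilt binary from https://github.com/jftuga/less-Windows and saved it in the directory less_binary. Just add that directory to the PATH environment variable and you are set.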

Then run main.py:

python3.8 ./main.py           

python3.9.exe .\main.py -b
                -------------------------------------------------------------
                50 aws          0 gcp           0 azure         0 office365
                0 docker        0 kubernetes
                -------------------------------------------------------------
                50 modules      2 cleanup               0 detection
                41 enum         6 exploit               0 persistence
                0 listeners     0 lateral movement      0 detection bypass
                0 privesc       1 reconnaissance        0 stager
                -------------------------------------------------------------
()()(AWS) >>>           

()()(AWS) >>> help

    Help Command:               Description:
    -------------               ------------

    help                        Show help for all the commands
    help credentials            Show help for credentials
    help module                 Show help for modules
    help workspace              Show help for credentials
    help user-agent             Show help for credentials



    Module Commands             Description
    ---------------             -----------

    show modules                List all the modules
    show enum                   List all Enumeration modules
    show exploit                List all Exploit modules
    show persistence            List all Persistence modules
    show privesc                List all Privilege Escalation modules
    show reconnaissance         List all Reconnaissance modules
    show listener               List all Reconnaissance modules
    show cleanup                List all Enumeration modules
    show detection              List all Exploit modules
    show detectionbypass        List all Persistence modules
    show lateralmovement        List all Privilege Escalation modules
    show stager                 List all Reconnaissance modules

    use module <module>         Use a module.
    options                     Show options of a module you have selected.
    run                         Run a module you have selected. Eg: 'run <module name>'
    search                      Search for a module via pattern. Eg: 'search s3'
    back                        Unselect a module
    set <option>                Set option of a module. Need to have the module used first.
    unset <option>              Unset option of a module. Need to have the module used first.


    User-Agent commands         Description
    -------------------         -----------

    set user-agent windows      Set a windows client user agent
    set user-agent linux        Set a linux client user agent
    set user-agent custom       Set a custom client user agent
    show user-agent             Show the current user-agent
    unset user-agent            Use the user agent that boto3 produces


    Workspace Commands          Description
    ------------------          -----------

    create workspace <wp>       Create a workspace
    use workspace <wp>          Use one of the workspaces
    remove workspace <wp>       Remove a workspace           

Modules:

()()(AWS) >>> show modules
        cleanup/aws_iam_delete_access_key                                     Delete access key of a user by providing
                                                                                it.

        cleanup/aws_iam_delete_login_profile                                  Delete access of a user to the Management
                                                                                Console

        enum/aws_ec2_enum_elastic_ips                                         Lists User data of an Instance provided.
                                                                                Requires Secret Key and Access Key of an IAM that has access
                                                                                to it.

        enum/aws_ec2_enum_images                                              List all ec2 images. Needs credentials of an
                                                                                IAM with DescribeImages right. Output is dumpled on a file.
                                                                                It takes a sh*tload of time, unfortunately. And boy, is it a
                                                                                huge output.

        enum/aws_ec2_enum_instances                                           Describes instances attribues: Instances, VCP,
                                                                                Zones, Images, Security Groups, Snapshots, Subnets, Tags,
                                                                                Volumes. Requires Secret Key and Access Key of an IAM that
                                                                                has access to all or any of the API calls:
                                                                                DescribeAvailabilityZones, DescribeImages,
                                                                                DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups,
                                                                                DescribeSnapshots, DescribeSubnets, DescribeTags,
                                                                                DescribeVolumes, DescribeVpcs           
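
A defender's view of the enum/aws_ec2_enum_instances description above, as an added example that is not part of Nebula or the original page: it scans CloudTrail-style records for an access key that calls many of the listed Describe* APIs within a short window, and reports the user agents seen in that burst. The function names, thresholds and sample records are constructed for illustration, and it assumes read-only management events are being logged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# API calls named in the enum/aws_ec2_enum_instances description above.
ENUM_CALLS = {
    "DescribeAvailabilityZones", "DescribeImages", "DescribeInstances",
    "DescribeKeyPairs", "DescribeSecurityGroups", "DescribeSnapshots",
    "DescribeSubnets", "DescribeTags", "DescribeVolumes", "DescribeVpcs",
}

def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_enum_bursts(records, min_distinct=6, window=timedelta(minutes=5)):
    """Return one finding per access key that made at least min_distinct
    different ENUM_CALLS inside `window` (both thresholds are assumptions)."""
    by_key = defaultdict(list)
    for r in records:
        if r.get("eventSource") == "ec2.amazonaws.com" and r.get("eventName") in ENUM_CALLS:
            by_key[r.get("userIdentity", {}).get("accessKeyId", "unknown")].append(r)
    findings = []
    for key, events in by_key.items():
        events.sort(key=_ts)
        start = 0
        for end in range(len(events)):
            while _ts(events[end]) - _ts(events[start]) > window:
                start += 1  # slide the window forward
            burst = events[start:end + 1]
            calls = {e["eventName"] for e in burst}
            if len(calls) >= min_distinct:
                findings.append({
                    "accessKeyId": key,
                    "distinct_calls": sorted(calls),
                    # Several client strings on one key in one burst is worth a look.
                    "user_agents": sorted({e.get("userAgent", "") for e in burst}),
                })
                break  # one finding per key is enough for triage
    return findings

def sample_records():
    """Constructed CloudTrail-style records, not real logs."""
    def rec(key, name, sec, agent):
        return {"eventTime": f"2021-04-10T12:00:{sec:02d}Z", "eventName": name,
                "eventSource": "ec2.amazonaws.com", "userAgent": agent,
                "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": key}}
    burst = [rec("AKIAEXAMPLEENUM", name, i * 5, "Boto3/1.17.0" if i < 4 else "Mozilla/5.0")
             for i, name in enumerate(sorted(ENUM_CALLS)[:8])]
    routine = [rec("AKIAEXAMPLEAPP", "DescribeInstances", s, "aws-sdk-java") for s in (0, 30)]
    return burst + routine
```

Calling find_enum_bursts(sample_records()) flags only the constructed key AKIAEXAMPLEENUM; tune min_distinct and window against your own baseline, since inventory and monitoring tools legitimately issue the same calls.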
